Analysis
max time kernel: 130s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/12/2023, 22:56
Behavioral task behavioral1
Sample: 1cfc9408aa24c2be24ad3376087dc83b.exe
Resource: win7-20231215-en
7 signatures, 150 seconds
Behavioral task behavioral2
Sample: 1cfc9408aa24c2be24ad3376087dc83b.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General
Target: 1cfc9408aa24c2be24ad3376087dc83b.exe
Size: 12.3MB
MD5: 1cfc9408aa24c2be24ad3376087dc83b
SHA1: 08dd088a1f1881477d4dd32d4c974f9cafcca77a
SHA256: 6ca88c9e467778629605f0e02cd88922370593fd79ceb973ea6123583ec4afd3
SHA512: b10e8ad0e501e6109ea63ee5865cbb0eee10b27cf0bf658b9769ada0377d7e68eaee639df5489bd0609578c05988472d3c1d97dcfda92c6cd18f573450b8e31d
SSDEEP: 196608:oHmeBUcSTIAsSRiR4UgRLuhFb9RZ8VGQ5tjMqoT/vNhat/qOcNDnJAMfiT75/:MlAhEMAhFZRZoGetjANh2uNrk
Score: 7/10
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/4112-6-0x0000000000400000-0x0000000001B42000-memory.dmp | vmprotect
behavioral2/memory/4112-10-0x0000000000400000-0x0000000001B42000-memory.dmp | vmprotect
behavioral2/memory/4112-15-0x0000000000400000-0x0000000001B42000-memory.dmp | vmprotect
behavioral2/memory/4112-16-0x0000000000400000-0x0000000001B42000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 1cfc9408aa24c2be24ad3376087dc83b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 748 | wmic.exe
Token: SeSecurityPrivilege | 748 | wmic.exe
Token: SeTakeOwnershipPrivilege | 748 | wmic.exe
Token: SeLoadDriverPrivilege | 748 | wmic.exe
Token: SeSystemProfilePrivilege | 748 | wmic.exe
Token: SeSystemtimePrivilege | 748 | wmic.exe
Token: SeProfSingleProcessPrivilege | 748 | wmic.exe
Token: SeIncBasePriorityPrivilege | 748 | wmic.exe
Token: SeCreatePagefilePrivilege | 748 | wmic.exe
Token: SeBackupPrivilege | 748 | wmic.exe
Token: SeRestorePrivilege | 748 | wmic.exe
Token: SeShutdownPrivilege | 748 | wmic.exe
Token: SeDebugPrivilege | 748 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 748 | wmic.exe
Token: SeRemoteShutdownPrivilege | 748 | wmic.exe
Token: SeUndockPrivilege | 748 | wmic.exe
Token: SeManageVolumePrivilege | 748 | wmic.exe
Token: 33 | 748 | wmic.exe
Token: 34 | 748 | wmic.exe
Token: 35 | 748 | wmic.exe
Token: 36 | 748 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 748 | wmic.exe
Token: SeSecurityPrivilege | 748 | wmic.exe
Token: SeTakeOwnershipPrivilege | 748 | wmic.exe
Token: SeLoadDriverPrivilege | 748 | wmic.exe
Token: SeSystemProfilePrivilege | 748 | wmic.exe
Token: SeSystemtimePrivilege | 748 | wmic.exe
Token: SeProfSingleProcessPrivilege | 748 | wmic.exe
Token: SeIncBasePriorityPrivilege | 748 | wmic.exe
Token: SeCreatePagefilePrivilege | 748 | wmic.exe
Token: SeBackupPrivilege | 748 | wmic.exe
Token: SeRestorePrivilege | 748 | wmic.exe
Token: SeShutdownPrivilege | 748 | wmic.exe
Token: SeDebugPrivilege | 748 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 748 | wmic.exe
Token: SeRemoteShutdownPrivilege | 748 | wmic.exe
Token: SeUndockPrivilege | 748 | wmic.exe
Token: SeManageVolumePrivilege | 748 | wmic.exe
Token: 33 | 748 | wmic.exe
Token: 34 | 748 | wmic.exe
Token: 35 | 748 | wmic.exe
Token: 36 | 748 | wmic.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4112 wrote to memory of 748 | 4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe | 92
PID 4112 wrote to memory of 748 | 4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe | 92
PID 4112 wrote to memory of 748 | 4112 | 1cfc9408aa24c2be24ad3376087dc83b.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"
  PID: 4112
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic BaseBoard get SerialNumber
    PID: 748
    - Suspicious use of AdjustPrivilegeToken